PatchSiren cyber security CVE debrief
CVE-2026-47684 Sync-in CVE debrief
CVE-2026-47684 is a HIGH severity vulnerability in Sync-in Server, a secure, open-source platform for file storage, sharing, collaboration, and syncing. The bug allows for SSRF protection bypass on dual-stack systems due to a flawed private IP blocklist regex used in the URL download feature, which fails to match IPv4-mapped IPv6 addresses. This issue was fixed in version 2.3.0.
- Vendor: Sync-in
- Product: server
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of Sync-in Server versions prior to 2.3.0 should upgrade to 2.3.0 to fix the vulnerability.
Technical summary
The private IP blocklist regex used in the URL download feature of Sync-in Server does not match IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. This was fixed in version 2.3.0.
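The failure mode described above, shown as an added example (not Sync-in's code): a dotted-quad prefix regex misses the mapped form, while a check that first unwraps IPv4-mapped IPv6 and then compares against CIDR ranges catches it. The regex, function names and range list are constructed for illustration.

```javascript
// Constructed, illustrative blocklist (not the Sync-in regex): dotted-quad prefixes only.
const NAIVE_PRIVATE_RE = /^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.)/;
const naiveIsBlocked = (addr) => NAIVE_PRIVATE_RE.test(addr);

// Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d or ::ffff:hhhh:hhhh) to a dotted quad.
function unmapIPv4(addr) {
  const a = addr.replace(/^\[|\]$/g, '').toLowerCase();
  const m = /^(?:::|(?:0{1,4}:){5})ffff:(.+)$/.exec(a);
  if (!m) return a;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(m[1])) return m[1];
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(m[1]);
  if (!hex) return a;
  const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 255, lo >> 8, lo & 255].join('.');
}

// Parse a dotted quad to an unsigned 32-bit integer, or null if it is not one.
function ipv4ToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split('.').map(Number);
  if (p.some((o) => o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Assumed internal ranges for this example: "this network", RFC 1918, loopback, link-local.
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

// Input is an IP literal (ideally the resolved address), not a hostname.
function isBlocked(addr) {
  const ip = unmapIPv4(addr);
  const n = ipv4ToInt(ip);
  if (n === null) {
    if (!ip.includes(':')) return true; // not an IP literal: fail closed
    // IPv6 loopback, unspecified, unique-local (fc00::/7), link-local (fe80::/10)
    return ip === '::1' || ip === '::' || /^(f[cd]|fe[89ab])/.test(ip);
  }
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}
```

Run the check against the address the connection will actually use after DNS resolution, not only against the hostname string in the submitted URL.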
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Sync-in Server version 2.3.0 or later.
Evidence notes
The CVE-2026-47684 record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-47684). Details can be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-47684).
Official resources
CVE-2026-47684 was published on 2026-06-16T15:16:41.063Z and modified on 2026-06-16T19:16:55.613Z.